Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-06 Thread Alexander Bokovoy

On Mon, 06 Jun 2016, lejeczek wrote:
Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okay it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts no syncing).
I don't know details of what you have configured. For IPA with trusts both Kerberos and passwords should work when Samba is running on IPA master. For IPA client, we have procedure defined for SSSD+Samba. For anything else only Kerberos would work.
I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.

Configs were not really helpful without a bigger picture.

Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?

SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are claiming that there is no IPA trust or sync in place yet you expect somehow things to magically work, I simply don't understand your situation to comment on it.
not magically, no, it's the same one box, IPA server and at the same time samba(non-IPA, might be why smbclient without kerberos does Not work) + sssd to an AD.
And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only question now is more about concepts, which - yes - I don't grasp fully.

Ok.

Yes I confuse, the way I understand is: my linux box now has two separate user db backends, two different users catalogs, first one is IPA's and the second is AD's via sssd(which samba being an AD's client also uses) with no winbind at this point.

Yes, you have two different user db backends, and there is not enough
interoperability between them yet. As you can guess, this is not really
supported -- I would rather not spend time on that myself as there are
more urgent issues to fix that scale better.

Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then two: how to achieve it running setup like mine?

It is not a question of whether you want something. It is required, as
Windows world is different from POSIX and something needs to map between
concepts in both worlds. That something is called Samba and it requires
a proper configuration for SID/ID mapping -- which is done by winbindd.

--
/ Alexander Bokovoy
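Alexander's point that winbindd and SSSD must share one understanding of how names map to POSIX IDs can be checked mechanically. The POSIX shell script below is an added example, not code from this thread or from the SSSD or Samba projects. Its two listings are constructed samples in the shapes that `getent passwd` (SSSD's view through nsswitch) and `wbinfo -i` (winbindd's view) print; the user names and ID numbers are invented, and the `DOMAIN\user` name form assumes winbind's default separator.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD or Samba projects.
# When winbindd runs alongside SSSD, both must resolve a domain user to the
# same UID and GID, otherwise ownership seen over SMB and over SSH diverges.
# This script compares the two views and lists every user on which they
# disagree. Both listings are constructed samples in the formats printed by
# `getent passwd` (SSSD view, names as user@domain) and `wbinfo -i` (winbindd
# view, names as DOMAIN\user with the default separator); names and IDs are
# invented. On a real host they would be collected with those two commands.

SSSD_VIEW='alice@ccnr.dom:*:1842601104:1842600513:Alice Example:/home/alice@ccnr.dom:/bin/bash
bob@ccnr.dom:*:1842601105:1842600513:Bob Example:/home/bob@ccnr.dom:/bin/bash
carol@ccnr.dom:*:1842601106:1842600513:Carol Example:/home/carol@ccnr.dom:/bin/bash'

# Constructed so that winbindd maps bob from a different idmap range than
# SSSD does (the symptom of two backends that do not agree).
WINBIND_VIEW='CCNR\alice:*:1842601104:1842600513:Alice Example:/home/CCNR/alice:/bin/bash
CCNR\bob:*:10005:10000:Bob Example:/home/CCNR/bob:/bin/bash
CCNR\carol:*:1842601106:1842600513:Carol Example:/home/CCNR/carol:/bin/bash'

# id_mismatches SSSD_LISTING WINBIND_LISTING
# Prints one line per user present in both listings whose uid:gid differs,
# sorted by short user name. Prints nothing when the two views agree.
id_mismatches() {
    {
        printf '%s\n' "$1" | sed 's/^/S /'
        printf '%s\n' "$2" | sed 's/^/W /'
    } | awk '
        {
            tag = $1
            sub(/^[SW] /, "")               # drop the view tag
            n = split($0, f, ":")
            if (n < 4) next                 # not a passwd-style line
            name = tolower(f[1])
            sub(/@.*$/, "", name)           # sssd: user@domain -> user
            sub(/^.*\\/, "", name)          # winbind: DOMAIN\user -> user
            ids = f[3] ":" f[4]
            if (tag == "S") sssd[name] = ids; else wb[name] = ids
        }
        END {
            for (name in sssd)
                if ((name in wb) && sssd[name] != wb[name])
                    print name " sssd=" sssd[name] " winbind=" wb[name]
        }' | sort
}

# id_mismatch_count SSSD_LISTING WINBIND_LISTING
# Number of disagreeing users; 0 means the two daemons map identically.
id_mismatch_count() {
    id_mismatches "$1" "$2" | grep -c .
}

# Stand-alone run over the constructed samples.
id_mismatches "$SSSD_VIEW" "$WINBIND_VIEW"
echo "users with differing IDs: $(id_mismatch_count "$SSSD_VIEW" "$WINBIND_VIEW")"
```

The comparison keys on the short user name only, because the two daemons print the domain part differently; anything reported by it means a file created through one daemon's view will be owned by a different numeric ID than the other daemon resolves, which is exactly the state the thread warns against.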

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-06 Thread lejeczek



On 06/06/16 12:42, Alexander Bokovoy wrote:

On Mon, 06 Jun 2016, lejeczek wrote:
SMB services with Kerberos require use of cifs/ service principal. Your keytab only has host/ keys, and your AD machine account for the  does not have 'cifs/' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/' and refuses to issue a service ticket even before smbclient contacts Samba server.

Alexander, thanks!
yes, cifs needs to be in keytab file, smbclient to itself(on smb server locally) works now with -k.
I wonder - should it also work with only passwords? It does not, for me.
Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okay it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts no syncing).
I don't know details of what you have configured. For IPA with trusts both Kerberos and passwords should work when Samba is running on IPA master. For IPA client, we have procedure defined for SSSD+Samba. For anything else only Kerberos would work.

I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.


Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?

SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are claiming that there is no IPA trust or sync in place yet you expect somehow things to magically work, I simply don't understand your situation to comment on it.

not magically, no, it's the same one box, IPA server and at the same time samba(non-IPA, might be why smbclient without kerberos does Not work) + sssd to an AD.
And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only question now is more about concepts, which - yes - I don't grasp fully.

Yes I confuse, the way I understand is: my linux box now has two separate user db backends, two different users catalogs, first one is IPA's and the second is AD's via sssd(which samba being an AD's client also uses) with no winbind at this point.

Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then two: how to achieve it running setup like mine?




Another thing, not having winbind in nsswitch (or not having it at all), but still having sssd using AD - should I be able to access linux+sssd=>AD box with means like ssh? eg. ssh m...@my.dom@swir.private.my.dom (I think I had it working with winbind in nsswitch)

SSSD client as IPA client will work with passwords in AD but only if trust is established between IPA and AD.





Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Alexander Bokovoy

On Fri, 03 Jun 2016, lejeczek wrote:



On 03/06/16 15:22, Alexander Bokovoy wrote:

On Fri, 03 Jun 2016, lejeczek wrote:

hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 
clients get to samba shares, getent pass sees AD users, samba can 
get to DC's shares and win10's clients shares, all good except...


smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE
Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.

If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain. However, the Kerberos error below makes me think you have some problems on AD side as well.

no winbind, I hope to completely rely on sssd.

You cannot -- at least for now. Samba needs translation between SIDs and
POSIX IDs. This translation cannot be done by SSSD alone right now
because there is no separate mechanism to supply that translation into
Samba from the system level.

SSSD can be used to imitate SID translation interface of winbindd by
providing a libwbclient replacement but this would mean a lot of other
functionality winbindd provides will be missing as SSSD does not
implement it.


Finally, you can run winbindd in parallel to SSSD. You just need to
ensure they both have the same understanding how to map usernames and
group names to POSIX ID and back. And you don't need to add winbindd to
/etc/nsswitch.conf or PAM configuration.

I should have mentioned that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working.

thanks!

SMB services with Kerberos require use of cifs/ service
principal. Your keytab only has host/ keys, and your AD
machine account for the  does not have 'cifs/' SPN
defined. The latter is what causes smbclient -k to fail -- AD DC doesn't
know about 'cifs/' and refuses to issue a service ticket even
before smbclient contacts Samba server.


and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]

The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.



SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I 
set it up following samba sssd wiki.


security = ads
realm = CCNR.DOM
workgroup = CCNR

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR

template shell = /bin/bash
template homedir = /home/%D/%U

preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no

inherit acls = Yes
map acl inherit = Yes
acl group control = yes


and in samba log:

domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.


--
/ Alexander Bokovoy
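The diagnosis above (a keytab with only host/ keys, and a client that asks the KDC for a cifs/ principal the KDC has never heard of) can be turned into a repeatable check. The POSIX shell script below is an added example of my own, not code from the thread, Samba or MIT Kerberos: it parses a `klist -k -t` listing and the GSS error that `smbclient -k` prints, then reports whether the cifs/ key exists for the expected principal and whether the client even asked for the realm the keytab belongs to. The listing, the host name `swir.private.ccnr.dom`, the realm `CCNR.DOM` and the error text are constructed to mirror the thread and are assumptions; the hint about `[domain_realm]` in krb5.conf names one common cause of a realm mismatch, not a diagnosis the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the thread, Samba or MIT Kerberos. It checks
# whether a Samba host's keytab holds the cifs/ service principal that Kerberos
# SMB clients ask the KDC for, in the realm the client actually requests.
# Everything below is constructed: the host name, realm, keytab listing and
# smbclient error text are assumptions chosen to mirror the thread, not real
# output from any system. On a real host, replace SAMPLE_LISTING with the output
# of `klist -k -t /path/to/keytab` and SAMPLE_GSS_ERROR with what `smbclient -k`
# printed.

SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM'

SAMPLE_GSS_ERROR='gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM not found in Kerberos database]'

# keytab_has_principal LISTING PRINCIPAL
# Succeeds when PRINCIPAL appears in a `klist -k [-t]` listing. The principal is
# the last whitespace-separated field of each entry, with or without -t.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF > 1 && $NF == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# gss_requested_principal MESSAGE
# Prints the principal named in a "Server X not found in Kerberos database"
# GSS error (cifs/host@REALM), i.e. what the client asked the KDC for.
gss_requested_principal() {
    printf '%s\n' "$1" |
        sed -n 's/.*Server \([^ ]*\) not found in Kerberos database.*/\1/p'
}

# check_cifs_spn LISTING FQDN REALM [GSS_ERROR]
# Prints a one-line verdict and returns:
#   0  cifs/FQDN@REALM is in the keytab
#   1  only host/FQDN@REALM is there (enough for SSH, not for SMB): the cifs/
#      SPN still has to be registered on the KDC and exported into the keytab
#   2  neither principal is present: this keytab was not made for FQDN in REALM
#   3  the client asked for cifs/ in a different realm than REALM, so the
#      keytab is never consulted; the client's realm mapping is the problem
check_cifs_spn() {
    listing=$1; fqdn=$2; realm=$3; gss_error=${4:-}
    cifs="cifs/$fqdn@$realm"
    host="host/$fqdn@$realm"

    if [ -n "$gss_error" ]; then
        asked=$(gss_requested_principal "$gss_error")
        case $asked in
            *@*)
                if [ "${asked#*@}" != "$realm" ]; then
                    echo "mismatch: client requested $asked, keytab realm is $realm" \
                         "(check [domain_realm] in krb5.conf)"
                    return 3
                fi ;;
        esac
    fi
    if keytab_has_principal "$listing" "$cifs"; then
        echo "ok: $cifs present"
        return 0
    elif keytab_has_principal "$listing" "$host"; then
        echo "missing: $cifs (only $host present; register the cifs/ SPN and re-export the keytab)"
        return 1
    fi
    echo "missing: no host/ or cifs/ keys for $fqdn in realm $realm"
    return 2
}

# Stand-alone run over the constructed samples: keytab alone, then keytab plus
# the error the client printed (which names the wrong realm).
for err in "" "$SAMPLE_GSS_ERROR"; do
    status=0
    check_cifs_spn "$SAMPLE_LISTING" swir.private.ccnr.dom CCNR.DOM "$err" || status=$?
    echo "exit status: $status"
done
```

The realm comparison runs before the keytab lookup on purpose: when the client resolves the server's name to the wrong realm, adding the cifs/ key to the keytab changes nothing, because the ticket request fails at the KDC before Samba is ever contacted, which is the order of events Alexander describes.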



Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread lejeczek



On 03/06/16 15:22, Alexander Bokovoy wrote:

On Fri, 03 Jun 2016, lejeczek wrote:

hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...


smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE
Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.

If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain. However, the Kerberos error below makes me think you have some problems on AD side as well.

no winbind, I hope to completely rely on sssd.
I should have mentioned that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working.

thanks!




and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]

The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.



SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has 
relevance, I set it up following samba sssd wiki.


    security = ads
    realm = CCNR.DOM
    workgroup = CCNR

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.swir.ccnr.keytab
    client signing = auto
    client use spnego = yes
    encrypt passwords = yes
    password server = ccnr-winsrv1.ccnr.dom
    netbios name = SWIR

    template shell = /bin/bash
    template homedir = /home/%D/%U

    preferred master = no
    dns proxy = no
    wins server = ccnr-winsrv1.ccnr.dom
    wins proxy = no

    inherit acls = Yes
    map acl inherit = Yes
    acl group control = yes


and in samba log:

    domain_client_validate: Domain password server not available.


I've tried samba user list, dead silence.

many thanks,

L.



Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread lejeczek



On 03/06/16 15:11, Sumit Bose wrote:

On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:

hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 clients get
to samba shares, getent pass sees AD users, samba can get to DC's shares and
win10's clients shares, all good except...

smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
provide more information: Server cifs/swir.private@private.dom not found
in Kerberos database]

Which realm is PRIVATE.DOM? What does

 $ klist -k -t /etc/krb5.swir.ccnr.keytab

return?

$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom

and swir runs samba, but I'm trying to sssd together AD & IPA, I should have mentioned.
From DNS perspective it's AD = ccnr.dom and IPA = private.ccnr.dom, everything seems to resolve OK, both @AD and @IPA ends.

And my sssd.conf:

ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab

[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = private.ccnr.dom, ccnr.dom

[nss]
memcache_timeout = 600
homedir_substring = /home
--

AD DC (to which shares smbclient @swir can get to) shows:

C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:

cifs/swir.private.ccnr@ccnr.dom
host/swir.private.ccnr.dom
host/swir.private.ccnr@ccnr.dom
HOST/SWIR

like I said, getent and id see both domains
If I
$ kinit m...@ccnr.dom
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: m...@ccnr.dom

Valid starting       Expires              Service principal
03/06/16 16:37:06    04/06/16 02:37:06    krbtgt/ccnr@ccnr.dom


$ smbclient -L //$(hostname) -U m...@ccnr.dom -k
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.ccnr@private.ccnr.dom not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

what I see in the last one above is - cifs/swir.private.ccnr@private.ccnr.dom
I've just realized, for some reason, and maybe a valid one, smbclient doesn't do - cifs/swir.private.ccnr@ccnr.dom which is in the keytabs.

but smbclient fails without -k which I understand should then use a password and should be sufficient to authenticate.


many thanks Sumit,
L.


bye,
Sumit


SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up
following samba sssd wiki.

    security = ads
    realm = CCNR.DOM
    workgroup = CCNR

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.swir.ccnr.keytab
    client signing = auto
    client use spnego = yes
    encrypt passwords = yes
    password server = ccnr-winsrv1.ccnr.dom
    netbios name = SWIR

    template shell = /bin/bash
    template homedir = /home/%D/%U

    preferred master = no
    dns proxy = no
    wins server = ccnr-winsrv1.ccnr.dom
    wins proxy = no

    inherit acls = Yes
    map acl inherit = Yes
    acl group control = yes


and in samba log:

   domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.


Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Alexander Bokovoy

On Fri, 03 Jun 2016, lejeczek wrote:

hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 
clients get to samba shares, getent pass sees AD users, samba can get 
to DC's shares and win10's clients shares, all good except...


smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

Do you run winbindd? samba in RHEL 7.2 as of now has a regression that
if you don't run winbindd, current code forbids establishing anonymous
secure channel connections to AD DCs as part of Badlock fixes. The
regression is fixed upstream and RHEL 7.2 packages are currently being
tested by Red Hat QE team.

If you start winbindd, this should not affect you -- if the machine is
enrolled into Active Directory domain. However, the Kerberos error below
makes me think you have some problems on AD side as well.



and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure.  Minor code 
may provide more information: Server cifs/swir.private@private.dom 
not found in Kerberos database]

The statement above says your KDC for PRIVATE.DOM does not know anything
about cifs/swir.private.dom principal. Fix that problem and Kerberos
authentication will be working.



SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR

Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set 
it up following samba sssd wiki.


    security = ads
    realm = CCNR.DOM
    workgroup = CCNR

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.swir.ccnr.keytab
    client signing = auto
    client use spnego = yes
    encrypt passwords = yes
    password server = ccnr-winsrv1.ccnr.dom
    netbios name = SWIR

    template shell = /bin/bash
    template homedir = /home/%D/%U

    preferred master = no
    dns proxy = no
    wins server = ccnr-winsrv1.ccnr.dom
    wins proxy = no

    inherit acls = Yes
    map acl inherit = Yes
    acl group control = yes


and in samba log:

 domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.



--
/ Alexander Bokovoy



Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Sumit Bose
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
> hi users,
> 
> I have a samba and sssd trying AD, it's 7.2 Linux.
> 
> That linux box is via sssd and samba talking to AD DC and win10 clients get
> to samba shares, getent pass sees AD users, samba can get to DC's shares and
> win10's clients shares, all good except...
> 
> smbclient @samba, in other words - to itself - fails
> 
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> and with smbclient -k
> 
> gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
> provide more information: Server cifs/swir.private@private.dom not found
> in Kerberos database]

Which realm is PRIVATE.DOM? What does

$ klist -k -t /etc/krb5.swir.ccnr.keytab

return?

bye,
Sumit

> 
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
> 
> here is a snippet from smb.conf which I thought has relevance, I set it up
> following samba sssd wiki.
> 
>security = ads
>   realm = CCNR.DOM
>   workgroup = CCNR
> 
>   kerberos method = secrets and keytab
>   dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>   client signing = auto
>   client use spnego = yes
>   encrypt passwords = yes
>   password server = ccnr-winsrv1.ccnr.dom
>   netbios name = SWIR
> 
>   template shell = /bin/bash
>   template homedir = /home/%D/%U
> 
>   preferred master = no
>   dns proxy = no
>   wins server = ccnr-winsrv1.ccnr.dom
>   wins proxy = no
> 
>   inherit acls = Yes
>   map acl inherit = Yes
>   acl group control = yes
> 
> 
> and in samba log:
> 
>   domain_client_validate: Domain password server not available.
> 
> I've tried samba user list, dead silence.
> 
> many thanks,
> 
> L.
> 